Passive SSH

Passive SSH is an open source framework composed of a scanner and server to store and lookup the SSH keys and fingerprints per host (IPv4/IPv6/onion).

The key materials along fingerprints and hosts are stored in a fast-lookup database. The system provides an historical view of SSH keys seen but also common key materials reused on different IP addresses.

Features

A simple SSH scanner
A server storing key materials in a Redis database
A simple ReST API to lookup by SSH fingerprints (including hassh or host (IPv4, IPv6 or onion addresses)
Statistics of SSH banners and SSH fingerprints

Server Requirements

Python >= 3.6
Redis >5.0
tornado

Scanner Requirements

Python >= 3.6
D4 paramiko
pysocks (required to scan Tor hidden services)

Install

./install.sh

Install Redis and all pythons requirements.
All Python 3 code will be installed in a virtualenv (PSSHENV).

Tor proxy

The ssh scanner can be used with a Tor proxy to scan a host or an hidden service.

Don’t forget to install the Tor proxy if you want to scan Tor hidden services: sudo apt-get install tor -y

Running

Launch the redis and the tornado server:

./LAUNCH -l

Manual scan

A SSH scanner is included to scan small networks or internal infrastructure.

. ./PSSHENV/bin/activate
cd bin/

# Scan a host
./ssh_scan.py -t <host: 10.0.0.12>

# Scan a network range
./ssh_scan.py -r <network range: 10.0.0.0/8>

API

An API is available to query the Passive SSH server.

By default, the tornado server for Passive SSH is running on port 8500.

curl http://localhost:8500/banners

Endpoints

`/stats`

Return server staticstics:

number of SSH banners
number of scanned hosts:
- ip
- onion
number of fingerprints by type

`/banners`

Return all banners ordered by scores

`/banner/hosts/<banner>`

Get hosts by banner:

banner
list of hosts

`/keys/types`

Return the list of all keys types

`/host/ssh/<host>`

Return host SSH metadata:

first seen
last seen
ports
list of banners
list of fingerprints

`/host/history/<host>`

Return the SSH history of an host

`/fingerprints`

Return all fingerprints ordered by scores

`/fingerprint/all/<fingerprint>`

Get hosts by fingerprint:

first seen
last seen
key type
key base64
fingerprint
list of hosts

`/fingerprint/type/<key_type>/<fingerprint>`

Get hosts by type of key and fingerprint:

first seen
last seen
key type
key base64
fingerprint
list of hosts

`/hasshs`

Return all hasshs ordered by scores

`/hassh/hosts/<hassh>`

Get hosts by hassh:

hassh
list of hosts
kexinit
Existing Passive SSH database
CIRCL Passive SSH - access can be requested if you are a CSIRT member of FIRST.org, TF-CSIRT, CNW network or vetted security researchers.

License

The software is free software/open source released under the GNU Affero General Public License version 3.

Passive SSH

Features

Server Requirements

Scanner Requirements

Install

Tor proxy

Running

Manual scan

API

Endpoints

/stats

/banners

/banner/hosts/<banner>

/keys/types

/host/ssh/<host>

/host/history/<host>

/fingerprints

/fingerprint/all/<fingerprint>

/fingerprint/type/<key_type>/<fingerprint>

/hasshs

/hassh/hosts/<hassh>

Existing Passive SSH database